COMMSEC: PyREBox: Making Dynamic Instrumentation Great Again

PyREBox (Python scriptable Reverse Engineering Sandbox) is an open-source reverse-engineering tool that provides instrumentation and debugging capabilities on top of the QEMU emulator. It won 1st prize in the Volatility Plugin Contest in late 2017.

PyREBox allows the analyst to inspect a running QEMU VM, to modify its memory or registers, and to instrument its execution with simple Python scripts. It combines whole-system emulation (QEMU) with Virtual Machine Introspection (Volatility) and does not require any modification to the guest operating system, as it transparently retrieves the information it needs from guest memory at run-time.

One of the possible applications of this tool is malware analysis. It allows the analyst to debug any process running in the guest and to instrument the execution of the VM with simple Python scripts that automate common tasks, such as API call tracing, code coverage analysis, monitoring of inter-process communication, or unpacking.

In this talk I will present an overview of PyREBox, how it works internally, and how it compares to other tools. I will explain some of the challenges found in implementing Python-based fine-grained instrumentation, and how PyREBox tries to solve them. Finally, I will show how to take advantage of PyREBox for malware analysis, releasing as open source a set of scripts for PyREBox and IDA Pro that are not yet public.